On Mon, Apr 8, 2013 at 3:47 PM, H. Peter Anvin <h...@zytor.com> wrote: > On 04/08/2013 03:43 PM, Kees Cook wrote: >> This makes the IDT unconditionally read-only. This primarily removes >> the IDT from being a target for arbitrary memory write attacks. It has >> an added benefit of also not leaking (via the "sidt" instruction) the >> kernel base offset, if it has been relocated. >> >> Signed-off-by: Kees Cook <keesc...@chromium.org> >> Cc: Eric Northup <digitale...@google.com> > > This isn't quite what this patch does, though, right? There is still a > writable IDT mapping at all times, which is different from a true > readonly IDT, no?
Ah, I guess that's true. I suppose I should say it makes the memory seen at the "sidt" location read-only. Can we make them both read-only? -Kees -- Kees Cook Chrome OS Security -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
